thorsten/phpmyfaq Security Advisories for 4.1.1 (21)
-
[HIGH] phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username/Email Enumeration
PKSA-x1b3-f9q9-1brm GHSA-w9xh-5f39-vq89
Affected version: <4.1.3
Reported by: GitHub
-
[HIGH] phpMyFAQ: Default Empty API Token Authentication Bypass
PKSA-jk8b-rmby-gztg GHSA-gp95-j463-vv28
Affected version: <=4.1.2
Reported by: GitHub
-
[HIGH] phpMyFAQ: IDOR Account Takeover
PKSA-ttcw-fg74-jv2w GHSA-xvp4-phqj-cjr3
Affected version: <4.1.3
Reported by: GitHub
-
[HIGH] phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation
PKSA-64xv-jbdm-pg2q GHSA-9qv9-8xv6-5p35
Affected version: <4.1.3
Reported by: GitHub
-
[MEDIUM] phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check
PKSA-bdr6-q3mq-xh2p CVE-2026-45009 GHSA-9r8r-x3vg-6xh4
Affected version: <4.1.2
Reported by: GitHub
-
[MEDIUM] phpMyFAQ: SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS
PKSA-ybf5-231k-fw57 CVE-2026-46360 GHSA-wj3q-vw2v-3rj3
Affected version: <4.1.2
Reported by: GitHub
-
[MEDIUM] phpMyFAQ: Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization
PKSA-r4h3-pdnk-t517 CVE-2026-46363 GHSA-h36g-93qx-rxgr
Affected version: <4.1.2
Reported by: GitHub
-
[MEDIUM] phpMyFAQ: Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags
PKSA-bgqy-s1r8-zchm CVE-2026-46365 GHSA-5h62-f8fg-4w7q
Affected version: <4.1.2
Reported by: GitHub
-
[CRITICAL] phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha
PKSA-trv8-7xnx-t8d9 GHSA-289f-fq7w-6q2w
Affected version: <=4.1.1
Reported by: GitHub
-
[MEDIUM] phpMyFAQ: Path Traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins
PKSA-djzh-dx9x-j5hd GHSA-gh9p-q46p-57g2
Affected version: <=4.1.1
Reported by: GitHub
-
[HIGH] phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query
PKSA-k9ft-9rnh-h8dn GHSA-99qv-g4x9-mgc3
Affected version: <=4.1.1
Reported by: GitHub
-
[HIGH] phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields
PKSA-n87n-9t5q-zcf5 GHSA-pm8c-3qq3-72w7
Affected version: <=4.1.1
Reported by: GitHub
-
[CRITICAL] phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id
PKSA-q6mm-vp1w-mgjs GHSA-9pq7-mfwh-xx2j
Affected version: <=4.1.1
Reported by: GitHub
-
[MEDIUM] phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check in phpMyFAQ
PKSA-42b7-bh2b-d7nn GHSA-jrc5-w569-h7h5
Affected version: =4.1.1
Reported by: GitHub
-
[MEDIUM] phpMyFAQ has stored XSS via | raw Filter in search.twig — html_entity_decode(strip_tags()) Bypass in Search Result Rendering
PKSA-198b-7kr6-ksdh GHSA-pqh6-8fxf-jx22
Affected version: <=4.1.1
Reported by: GitHub
-
[MEDIUM] phpMyFAQ's Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User
PKSA-pmsp-dtdj-k1f9 GHSA-rm98-82fr-mcfx
Affected version: <=4.1.1
Reported by: GitHub
-
[MEDIUM] phpMyFAQ has a SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS
PKSA-sw8q-jkxw-m11r GHSA-whqh-9pq5-c7r3
Affected version: <=4.1.1
Reported by: GitHub
-
[MEDIUM] phpMyFAQ has Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization
PKSA-jr2y-dd2x-qtks GHSA-f5p7-2c9q-8896
Affected version: <=4.1.1
Reported by: GitHub
-
[MEDIUM] phpMyFAQ's Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags
PKSA-p58s-jb5m-qycz GHSA-7cx3-2qx2-3g6w
Affected version: <=4.1.1
Reported by: GitHub
-
[MEDIUM] phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check
PKSA-b77f-s5cd-b1qh GHSA-hpgw-ww76-c68r
Affected version: <=4.1.1
Reported by: GitHub
-
[HIGH] phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering
PKSA-1zxw-krpv-74xh GHSA-9525-27vj-c8r8
Affected version: =4.1.1
Reported by: GitHub